The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory mapping post-quantum cryptography (PQC) standards to common enterprise hardware and software categories, giving CIOs and security teams an early reference for evaluating quantum-safe technology readiness.
Issued in response to a June 6, 2025 executive order on strengthening federal cybersecurity, the advisory identifies classes of IT products that already use, or are transitioning toward, NIST-standardized PQC algorithms. CISA said the lists are intended to guide procurement and long-term migration planning as agencies assess systems that rely on public-key cryptography.
For enterprises, the guidance signals that quantum-safe cryptography is becoming a practical procurement consideration today, while also highlighting gaps. CISA noted that many listed product categories have implemented PQC for limited functions, such as key establishment, but are not yet fully quantum-resistant.
CISA noted PQC-ready product categories
The advisory highlighted several technology categories where PQC-compatible solutions are already available (or are in active transition) to help organizations evaluate purchase decisions and plan migration.
The advisory highlighted that several product categories under hardware and software are already using PQC Standards. These include cloud services (PaaS, IaaS), collaboration software (chat/messaging), web software (browsers and servers), and endpoint security (DAR security and full disk encryption).
